Discussion:
[Freeipa-users] IPA users can't log in to SDDM
Tyrell Jentink
2017-03-14 19:10:04 UTC
Permalink
I have users in an AD Domain, my FreeIPA server is set up with an
interforest trust, and users can log in using SSH or virtual terminals on
any system joined to the IPA domain, and I have Samba authenticating
against these users on another server... Things are good...

Until I try logging in to the Fedora 25 KDE Respin from the desktop manager
(SDDM), in which case it goes to a black screen, with an X as a cursor, but
nothing else... This is my first attempt at logging a remote user in
through the GUI, and KDE/SDDM is the default configuration on Fedora KDE
Respin, thus the combination in question... I haven't tried anything else.

Some diagnostics I have tried:

If I log in to a virtual terminal and run startx, then I get KDE,
regardless of the user.
If I log in to SDDM/KDE using a local user, then I get KDE.
If I log in to SDDM/KDE using an IPA user, I get the black screen...
But, the audit and security logs show that the user successfully
authenticated. Dmesg shows the user getting authenticated successfully and
user contexts changing successfully.


So, I'm left assuming this is a problem with SDDM somewhere, but only with
remote users... And my logs aren't giving me any hints.

Any ideas? Any logs in particular that I should be looking at?
Alexander Bokovoy
2017-03-14 19:46:28 UTC
Permalink
Post by Tyrell Jentink
I have users in an AD Domain, my FreeIPA server is set up with an
interforest trust, and users can log in using SSH or virtual terminals on
any system joined to the IPA domain, and I have Samba authenticating
against these users on another server... Things are good...
Until I try logging in to the Fedora 25 KDE Respin from the desktop manager
(SDDM), in which case it goes to a black screen, with an X as a cursor, but
nothing else... This is my first attempt at logging a remote user in
through the GUI, and KDE/SDDM is the default configuration on Fedora KDE
Respin, thus the combination in question... I haven't tried anything else.
If I log in to a virtual terminal and run startx, then I get KDE,
regardless of the user.
If I log in to SDDM/KDE using a local user, then I get KDE.
If I log in to SDDM/KDE using an IPA user, I get the black screen...
But, the audit and security logs show that the user successfully
authenticated. Dmesg shows the user getting authenticated successfully and
user contexts changing successfully.
So, I'm left assuming this is a problem with SDDM somewhere, but only with
remote users... And my logs aren't giving me any hints.
Any ideas? Any logs in particular that I should be looking at?
"Black screen" with SDDM is a fairly known issue -- you can look at
https://bugzilla.redhat.com/show_bug.cgi?id=1350107, for example. Or
https://github.com/sddm/sddm/issues/756, or many other distros. It looks
like SDDM is crashing internally on many conditions. The bug in Red Hat
bugzilla has at least three different cases where SDDM crashes.

I'd suggest you to file a bug and attach system logs to it. You can use
SSSD troubleshooting guide to create SSSD debug logs (domain, pam, nss,
and selinux sections at least) but also attach logs for sddm and audit.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Tyrell Jentink
2017-03-14 21:07:53 UTC
Permalink
Oh, you are quite right... It's even identified in the project scope of the
original proposal to switch from KDM: "Fix the bugs affecting log in: PAM
stack integration and LDAP user lists" --
https://fedoraproject.org/wiki/Changes/SDDMinsteadOfKDM

I'm just going to switch back to KDM... Should solve my problem.

Thank you!
Post by Alexander Bokovoy
Post by Tyrell Jentink
I have users in an AD Domain, my FreeIPA server is set up with an
interforest trust, and users can log in using SSH or virtual terminals on
any system joined to the IPA domain, and I have Samba authenticating
against these users on another server... Things are good...
Until I try logging in to the Fedora 25 KDE Respin from the desktop manager
(SDDM), in which case it goes to a black screen, with an X as a cursor, but
nothing else... This is my first attempt at logging a remote user in
through the GUI, and KDE/SDDM is the default configuration on Fedora KDE
Respin, thus the combination in question... I haven't tried anything else.
If I log in to a virtual terminal and run startx, then I get KDE,
regardless of the user.
If I log in to SDDM/KDE using a local user, then I get KDE.
If I log in to SDDM/KDE using an IPA user, I get the black screen...
But, the audit and security logs show that the user successfully
authenticated. Dmesg shows the user getting authenticated successfully and
user contexts changing successfully.
So, I'm left assuming this is a problem with SDDM somewhere, but only with
remote users... And my logs aren't giving me any hints.
Any ideas? Any logs in particular that I should be looking at?
"Black screen" with SDDM is a fairly known issue -- you can look at
https://bugzilla.redhat.com/show_bug.cgi?id=1350107, for example. Or
https://github.com/sddm/sddm/issues/756, or many other distros. It looks
like SDDM is crashing internally on many conditions. The bug in Red Hat
bugzilla has at least three different cases where SDDM crashes.
I'd suggest you to file a bug and attach system logs to it. You can use
SSSD troubleshooting guide to create SSSD debug logs (domain, pam, nss,
and selinux sections at least) but also attach logs for sddm and audit.
--
/ Alexander Bokovoy
--
Tyrell Jentink
tyrell.jentink.net
Loading...